I didn't know much about the server, so I decided to rent a VPS server with "Sakura's VPS" and try it out. I didn't understand the mechanism and method of "public key authentication" and had a hard time, so I will summarize it here as a record.
・ Sakura's VPS - CentOS Linux release 7.8.2003
If you log in to the server with password authentication, it is dangerous because a third party can log in if the password is cracked. With public key authentication, you can log in safely without using a password. Public key authentication works by generating a public key and private key pair. The two keys have the following characteristics.
・ You cannot make a signature without the private key.
・ The public key can be used to verify whether a signature was made with the corresponding private key.
After generating the public key and private key on the client side, the public key is registered on the destination server, and the private key is stored only on the client side. At login, the client proves that it holds the private key by producing a signature, and the server verifies that signature with the registered public key. If the verification succeeds, the login is successful.
From here, we will use "Tera Term". You can download TeraTerm from https://ja.osdn.net/projects/ttssh2/.
(1) Click "SSH key generation" in the setting menu of "TeraTerm".
(2) The following screen will be displayed. Click "Create".
(3) When "Generate" is executed, the "Passphrase" and "Comment" at the bottom of the screen can be entered. (You will be asked to enter the passphrase when you log in and use the private key. You can generate it even if it is blank.)
(4) Finally, click "Save public key" and "Save private key" at the bottom of the screen to save the key.
(1) Register the public key on the server side. Log in to the server with TeraTerm and drag and drop "id_rsa.pub" onto the TeraTerm window. The following window will be displayed. Set an arbitrary folder and click the "Send" button.
(2) I sent the public key to the directory on the server, but I haven't registered it yet. Register the public key in the ~/.ssh/authorized_keys file with the following command.
$ cat id_rsa.pub >> .ssh/authorized_keys
Change the permissions of authorized_keys. (Make it inaccessible to anyone other than the owner.)
$ chmod 600 .ssh/authorized_keys
This completes key registration. On the SSH authentication screen, check RSA/DSA/ECDSA/ED25519 and specify the generated private key. If you can log in with that, it's OK.
Finally, change the settings so that you cannot log in with a password.
Enter the following command to open the edit screen for the /etc/ssh/sshd_config file.
# vim /etc/ssh/sshd_config
Modify the following parts of this file:
PasswordAuthentication yes → PasswordAuthentication no
After saving the modified file, reload the settings.
# systemctl reload sshd.service
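To confirm that the two settings above took effect, the following added example (not part of the original article) reads a config file the way sshd does and checks the key file modes. The function names and the sample file are constructed for illustration, and the mode 700 check on the .ssh directory is an assumption added here.

```sh
#!/bin/sh
# Added example (not from the original article): checks for the two settings above.

# Print the global PasswordAuthentication value sshd would use from file $1.
# sshd takes the FIRST occurrence of a keyword, keywords are case-insensitive,
# and anything after a "Match" line is conditional, so scanning stops there.
# When the keyword is absent, the OpenSSH default "yes" applies.
effective_password_auth() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Return 0 only if directory $1 is mode 700 and $1/authorized_keys is mode 600.
# The 700 on the directory is an assumption added here; the article sets only 600.
check_key_perms() {
    d=$(stat -c '%a' "$1") || return 2
    f=$(stat -c '%a' "$1/authorized_keys") || return 2
    [ "$d" = "700" ] && [ "$f" = "600" ]
}

# Constructed sample input: a commented default followed by the edited line.
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' > "$demo/sshd_config"
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"

echo "PasswordAuthentication (effective): $(effective_password_auth "$demo/sshd_config")"
check_key_perms "$demo/.ssh" && echo "key permissions: OK"
rm -rf "$demo"
```

On the server itself, running `sshd -t` as root before the reload reports syntax errors in the edited file. Keep the current session open and test the key login from a second window before closing it.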